Third-party Tracking on the Web: A Swedish Perspective Joel Purra - - PowerPoint PPT Presentation

Third-party Tracking on the Web: A Swedish Perspective

Joel Purra and Niklas Carlsson

Linköping University, Sweden

@ IEEE LCN, Dubai, Nov. 2016

• Bullet 1
• Bullet 2

We are all tracked …

• When browsing, information is recorded by the servers

you communicate directly with

• Resources from other services might be requested as

well, with or without being visible.

• Information can be passively recorded during transmission;

some of which can't be avoided

• Specialized tracking code can actively extract extended

information

Why is tracking used?

• Information is collected and stored to gain knowledge

about the visitors a website has.

• Website owners: to improve/personalize content
• Advertisement firms: to sell targeted ads
• Media analytics firms: to verify statistics (for ads).
• Data brokers: to package and sell (inferred) user data

The downside

• Users lose control over who they share information
• with. This can be considered an invasion of privacy.
• Information is easily stored and easily retrieved,
• Anything done online in the past can haunt you for ever.
• Self-censorship, effectively limiting freedom of speech.
• What is illegal for governments, companies are allowed

to do, through user agreements. Governments still have control over companies within their jurisdiction.

• The full scope of the tracking is still unknown
• Could become a historical thought police.
• Could mean online companies have a grip on all current

and future politicians, company leaders and celebrities.

Passive tracking and HTTPS

• Bullet 1
• Bullet 2

Passive vs active tracking

• Passive tracking: Anyone can listen in anywhere along the

network path ...

• People are becoming increasingly aware of monitoring by

ISPs and nation state ...

• HTTPS prevents passive tracking of some information (e.g.,

exact page, browser model, OS, language settings, cookies, etc.)

Passive vs active tracking

• Passive tracking: Anyone can listen in anywhere along the

network path ...

• People are becoming increasingly aware of monitoring by

ISPs and nation state ...

• HTTPS prevents passive tracking of some information (e.g.,

exact page, browser model, OS, language settings, cookies, etc.)

• Active tracking: A script or plugin executed in the browser

to extract and collect extended information.

• HTTPS does not prevent this.
• Example info include time spent on each page, window size,

screen resolution, color depth, mouse movements, scrollbar location, installed fonts, plugins and extensions.

Passive vs active tracking

• Passive tracking: Anyone can listen in anywhere along the

network path ...

• People are becoming increasingly aware of monitoring by

ISPs and nation state ...

• HTTPS prevents passive tracking of some information (e.g.,

exact page, browser model, OS, language settings, cookies, etc.)

• Active tracking: A script or plugin executed in the browser

to extract and collect extended information.

• HTTPS does not prevent this.
• Example info include time spent on each page, window size,

screen resolution, color depth, mouse movements, scrollbar location, installed fonts, plugins and extensions.

• We focus on third-party tracking, but ask if sites

implementing HTTPS use less tracking themselves

This paper …

• … presents measurement methodology and

characterization of the current third-party tracking landscape

This paper …

• … presents measurement methodology and

characterization of the current third-party tracking landscape

• Third-party usage across a number of website classes and

breakdown the coverage of different tracker types

• Aggregate analysis that combines the tracker services based
• n the organizations operating them so to gain insights into the

big players aggregate coverage

• Try to answer if websites that have adopted HTTPS in fact are

more privacy conscious (on behalf of their users) and use less third-party tracking.

This paper …

• … presents measurement methodology and

characterization of the current third-party tracking landscape

• Third-party usage across a number of website classes and

breakdown the coverage of different tracker types

• Aggregate analysis that combines the tracker services based
• n the organizations operating them so to gain insights into the

big players aggregate coverage

• Try to answer if websites that have adopted HTTPS in fact are

more privacy conscious (on behalf of their users) and use less third-party tracking.

This paper …

• … presents measurement methodology and

characterization of the current third-party tracking landscape

• Third-party usage across a number of website classes and

breakdown the coverage of different tracker types

• Aggregate analysis that combines the tracker services based
• n the organizations operating them so to gain insights into the

big players aggregate coverage

• Try to answer if websites that have adopted HTTPS in fact are

more privacy conscious (on behalf of their users) and use less third-party tracking

Methodology

• Developed data collection tool
• Headless phantom.js browser
• Visit front page of large number of sites
• HTTP vs HTTPS (with and without www)
• Measure redirects etc.
• Process/execute scripts to build pages
• No blocking
• Extract URL, domain, and other info
• Classify resources
• Internal vs. external
• Known trackers (using Disconnect.me)
• Type of resource; e.g., advertising, analytics, content

Swedish perspective

• Measurements performed from Sweden
• Important and popular Swedish domains
• Global baseline

What are third-party resources?

• A resource belonging to the origin's primary domain is

called internal. Otherwise it's an external resource.

• Assumption: Any external resource is a third-party

resource.

Resource examples Branded (videos, services, images) Unbranded (fonts, useful scripts, images) Ads (scripts, images, flash) Web beacons (hidden images, analytics scripts) Domain examples example.se (primary domain) www.example.se (subdomain) example.org (third-party domain) doubleclick.net (known tracker domain)

Blocked domains on Disconnect.me

• Many have few: 521 out of 980 organization have 1

domain; 331 have 2 domain.

• Some have many: Google has 271, Yahoo 71, AOL

40, Microsoft 32.

Blocked domains on Disconnect.me

• Many have few: 521 out of 980 organization have 1

domain; 331 have 2 domain.

• Some have many: Google has 271, Yahoo 71, AOL

40, Microsoft 32.

• Spread over advertising, analytics, content

Blocked domains on Disconnect.me

• Many have few: 521 out of 980 organization have 1

domain; 331 have 2 domain.

• Some have many: Google has 271, Yahoo 71, AOL

40, Microsoft 32.

• Spread over advertising, analytics, content
• “Disconnect category”: Google, Facebook, Twitter

• Bullet 1
• Bullet 2

• Bullet 1
• Bullet 2

• Bullet 1
• Bullet 2

• Bullet 1
• Bullet 2

External third-party resources

• Upper bound: Third-parties typically have server logs and/or

analytics software to record your online habits

• Each third-party (external) resource leaks at least some info

External third-party resources

• Upper bound: Third-parties typically have server logs and/or

analytics software to record your online habits

• Each third-party (external) resource leaks at least some info

External third-party resources

• Upper bound: Third-parties typically have server logs and/or

analytics software to record your online habits

• Each third-party (external) resource leaks at least some info
• External resource usage high
• Especially among most popular domains (e.g., 93% at least some)

External third-party resources

• Upper bound: Third-parties typically have server logs and/or

analytics software to record your online habits

• Each third-party (external) resource leaks at least some info
• External resource usage high
• Especially among most popular domains (e.g., 93% at least some)

External third-party resources

• Upper bound: Third-parties typically have server logs and/or

analytics software to record your online habits

• Each third-party (external) resource leaks at least some info
• External resource usage high
• Especially among most popular domains (e.g., 93% at least some)
• HTTP and HTTPS results similar (except for rand 100k .se)

Known trackers

• Lower bound
• Use Disconnect’s tracker list (2,149 known domains: resp. for <10% external)
• Only front page

Known trackers

• Lower bound
• Use Disconnect’s tracker list (2,149 known domains: resp. for <10% external)
• Only front page

Swedish domain categories Global categories

Known trackers

• Lower bound
• Use Disconnect’s tracker list (2,149 known domains: resp. for <10% external)
• Only front page
• Biggest differences: popular vs. less popular (e.g., advertising)

Global categories

Known trackers

• Lower bound
• Use Disconnect’s tracker list (2,149 known domains: resp. for <10% external)
• Only front page
• Biggest differences: popular vs. less popular (e.g., advertising)
• Popular has at least one known tracker in 95+ % of cases

Global categories

Known trackers

• Lower bound
• Use Disconnect’s tracker list (2,149 known domains: resp. for <10% external)
• Only front page
• Biggest differences: popular vs. less popular (e.g., advertising)
• Popular has at least one known tracker in 95+ % of cases
• 70+ % use at least 2; 10% more than 12; 1% allow 48

Global categories

Known trackers

• Lower bound
• Use Disconnect’s tracker list (2,149 known domains: resp. for <10% external)
• Only front page
• Biggest differences: popular vs. less popular (e.g., advertising)
• Popular has at least one known tracker in 95+ % of cases
• 70+ % use at least 2; 10% more than 12; 1% allow 48
• Other: Media worst (e.g., 50% >7 trackers); content typically not blocked …

Swedish domain categories

HTTP vs HTTPS

• Small differences between HTTP and HTTPS
• If anything, slightly higher for HTTPS …

HTTP vs HTTPS

• Small differences between HTTP and HTTPS
• If anything, slightly higher for HTTPS …

HTTP vs HTTPS

• Small differences between HTTP and HTTPS
• If anything, slightly higher for HTTPS …
• As tracked by third-parties when using HTTPS as

when using HTTP

The big players

• Google has 90+ % coverage in popular domains
• Even higher than disconnect (owns domains outside the

Disconnect category)

• Facebook and Twitter far behind

Swedish domain categories Global categories

Conclusions

• Measurement framework for automated, repeatable

data collection of websites (tools made public)

• Analysis of the third-party tracking landscape
• Swedish perspective vs global baseline
• Across domain categories
• Breakdown based on tracker types
• HTTP and HTTPS
• HTTPS domains use at least as much (if not more)

third-party tracking

Niklas Carlsson (niklas.carlsson@liu.se)

Research overview and pubs: www.ida.liu.se/~nikca/

Thanks for listening! Third-party Tracking on the Web: A Swedish Perspective